DETAILED ACTION 



1. The response of 6/5/09 was received and considered. 



2. Claims 2-14 and 16-21 are pending. 



Response to Arguments 



3. Applicant's arguments, filed 6/5/09, with respect to the rejection(s) of 
claim(s) 2-14 and 16-21 under Rowland in view of Baker have been fully 
considered and are persuasive. Therefore, the rejection has been withdrawn. 
However, upon further consideration, a new ground(s) of rejection is made in 
view of Anderson. 



4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for 
all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described 
as set forth in section 102 of this title, if the differences between the subject matter sought to 
be patented and the prior art are such that the subject matter as a whole would have been 
obvious at the time the invention was made to a person having ordinary skill in the art to which 
said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 



5. Claims 2-14 and 16-21 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Anderson et al., US 2003/0002436, and further in view of Lin 
et al., US 6,405,250. 



Claim Rejections - 35 USC § 103 



Regarding claims 2 and 18, Anderson discloses a system that detects the state 
of a computer network, comprising: 
agents disposed in said computer network (fig. 1, sensors 104), each said agent 
comprising: 

data collection means for passively collecting, monitoring, and aggregating data 
representative of activities of respective nodes within said computer network 
(¶0023, director 102 activates an initial subset of sensors 104a-104n to monitor 
and collect descriptive data for network traffic routed over the network link of 
interest and/or related links, fig. 2, block 202, and fig. 1, client network nodes 
108); 

means responsive to the data from the data collection means for analyzing said 
data to develop activity models representative of activities of said network in a 
normal state and activities of said network in an abnormal state (¶0024 and fig. 2, 
block 204); and 

means for comparing collected data to said activity models to determine the state 
of said computer network at different times and to dynamically update said 
activity models (¶0025-0026 and fig. 2, block 206 and ¶0040), 
wherein said analyzing means performs a pattern analysis on the collected data 
and said comparing means compares the results of the pattern analysis of data 
collected by an agent to the results of pattern analysis of data collected by 
analyzing means of other agents to identify similar patterns of suspicious activity 
in different portions of the computer network (fig. 2, block 208, if additional 
monitoring or data collection is "preferred", director 102 launches additional 
selected ones of sensors 104a-104n to perform the additional monitoring to 
collect additional data to confirm that indeed the network link of interest is being 
misused, and fig. 5, steps 506-508). 

Anderson lacks or does not expressly disclose developing activity models 
representative of activities of said network. However, Lin discloses developing 
activity models representative of activities of said network (col. 1, lines 30-42). It 
would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the system of Anderson with the activity models of 
Lin in order to monitor the health of the network, as taught by Lin (col. 1, lines 
30-42). 

Regarding claim 3, Anderson as modified above discloses the system of claim 2, 
wherein said agents comprise a plurality of distributed agents (fig. 1, sensors 
104). 

Regarding claim 4, Anderson as modified above discloses the system of claim 2, 
wherein said data collection means collects data representative of operation of 
said computer network, including respective nodes in said computer network, 
said data relating to communications, internal and external accesses, code 
execution functions, and/or network resource conditions of respective nodes in 
said computer network (¶0025). 

Regarding claim 5, Anderson as modified above discloses the system of claim 2. 
Lin further discloses wherein said activity models characterize conditions within 
said computer network including behaviors, events, and/or functions of 
respective nodes of said computer network, said behaviors representative of said 
normal state and one or more abnormal states representative of suspicious 
activity in said computer network (fig. 3, network wide activity model). 

Regarding claim 6, Anderson as modified above discloses the system of claim 2, 
further comprising means for characterizing the state of the computer network 
and identifying any potential threats based on said collected data (fig. 2, step 
206). 

Regarding claim 7, Anderson as modified above discloses the system of claim 6, 
wherein said characterizing means further recommends remedial repair and/or 
recovery strategies to isolate and/or neutralize the identified potential threats to 
the computer system (fig. 2, steps 214-218). 

Regarding claim 8, Anderson as modified above discloses the system of claim 2, 
wherein respective agents are connected by redundant communications 
connections (fig. 1, sensors 104 and routing devices 106). 

Regarding claim 9, Anderson as modified above discloses the system of claim 2, 
wherein each agent is implemented in redundant memory and hardware that is 
adapted to be insulated from infected components of said computer network (fig. 

Regarding claim 10, Anderson as modified above discloses the system of claim 
2, wherein the agents are disposed in a hierarchical structure whereby 
communications from bottom level agents to agents at higher levels in the 
hierarchy are limited (¶0022). 

Regarding claim 11, Anderson as modified above discloses the system of claim 
2, further comprising means for predictively modeling the behavior of said 
computer network based on sequentially occurring behavior patterns in the data 
collected by said data collection means (¶0040). 

Regarding claim 12, Anderson as modified above discloses the system of claim 
2. Lin further discloses wherein said comparing means comprises means for 
pattern matching collected data with data in said activity models to determine a 
closest activity model based upon similarity of the data in each data model with 
the collected data (fig. 3, state of the network wide model). 

Regarding claim 13, Anderson as modified above discloses the system of claim 
2, wherein the collected data represents actions of a virus, system responses to 
actions of a virus, actions of a hacker, system responses to actions of a hacker, 
threats directed to discrete objects in said computer network, and/or potential 
triggers of a virus or threat to said computer network (¶0032, network misuse). 

Regarding claim 14, Anderson as modified above discloses the system of claim 
2. Lin further discloses wherein said analyzing means for each agent filters and 
analyzes received data and dynamically redistributes the analyzed and filtered 
data to other agents associated with said each agent (col. 6, lines 2-11). 

Regarding claim 16, Anderson as modified above discloses the system of claim 
2, wherein the comparing means compares names and email addresses in said 
collected data against known criminal, hoaxsters and/or aliases for known 
criminals and hoaxsters (¶0005). 

Regarding claim 17, Anderson as modified above discloses the system of claim 
2, further comprising a trusted server that receives attack data from a plurality of 
agents identifying abnormal states indicative of a network attack, said trusted 
server gathering the attack data and sending warnings to selected nodes in said 
computer network (fig. 6, alert). 

Regarding claim 19, Anderson as modified above discloses the method of claim 
18, wherein the agents report any suspicious activity that exceeds a suspicion 
threshold (¶0032, user-defined threshold). 
Regarding claim 20, Anderson as modified above discloses the method of claim 
19, wherein the agents transmit said analyzed data in order to determine an 
origin of the suspicious activity in the computer network (¶0032). 

Regarding claim 21, Anderson as modified above discloses the method of claim 
20, further comprising scanning said analyzed data for patterns and comparing 
said patterns to data representative of patterns of known threats to said computer 
network for identification of said suspicious activity (¶0032). 
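The elements recited above are stated functionally: agents that passively collect and aggregate per-node data, activity models of a normal and an abnormal state, a comparing step that also updates the models, a suspicion threshold (claim 19), comparison of one agent's pattern-analysis results against other agents' results to find similar suspicious patterns in different portions of the network, and a trusted server that gathers attack data and warns selected nodes (claim 17). The following Python is an added illustration of that architecture in working form. It is not code from the application under examination, from Anderson (US 2003/0002436) or from Lin (US 6,405,250); the agents, nodes, traffic counters, threshold and traffic values are all constructed assumptions.

```python
"""Added illustration of the agent-based network-state detection architecture
recited in claims 2, 17, 18 and 19 (constructed example; not code from the
application, Anderson or Lin; every agent, node, counter and value is assumed)."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field
from math import sqrt
from typing import Dict, List, Optional, Tuple

@dataclass
class ActivityModel:
    """Normal-state model for one node: running mean/variance per traffic counter
    (Welford), updated dynamically as benign intervals arrive."""
    n: int = 0
    mean: Dict[str, float] = field(default_factory=dict)
    m2: Dict[str, float] = field(default_factory=dict)

    def update(self, sample: Dict[str, float]) -> None:
        self.n += 1
        for k, v in sample.items():
            old = self.mean.get(k, 0.0)
            self.mean[k] = old + (v - old) / self.n
            self.m2[k] = self.m2.get(k, 0.0) + (v - old) * (v - self.mean[k])

    def zscore(self, k: str, v: float) -> float:
        """Standard deviations between v and the learned mean of counter k."""
        if self.n < 2:
            return 0.0                      # too little history to judge
        var = self.m2.get(k, 0.0) / (self.n - 1)
        sd = sqrt(var) if var > 0 else 1.0  # assumed floor for constant counters
        return (v - self.mean.get(k, 0.0)) / sd

@dataclass(frozen=True)
class Report:                               # attack data an agent sends upward
    agent: str
    node: str
    pattern: Tuple[str, ...]                # counters that deviated (pattern analysis)
    score: float

class Agent:
    """Sensor disposed in one segment; passively aggregates per-node counters."""
    def __init__(self, name: str, threshold: float = 3.0) -> None:
        self.name = name
        self.threshold = threshold          # suspicion threshold (claim 19)
        self.models: Dict[str, ActivityModel] = defaultdict(ActivityModel)

    def observe(self, node: str, sample: Dict[str, float]) -> Optional[Report]:
        model = self.models[node]
        z = {k: abs(model.zscore(k, v)) for k, v in sample.items()}
        deviated = tuple(sorted(k for k, s in z.items() if s > self.threshold))
        if deviated:
            # Report and do NOT fold the interval into the baseline: updating on
            # flagged traffic would let an attacker train the model toward "normal".
            return Report(self.name, node, deviated, max(z.values()))
        model.update(sample)                # dynamic update of the activity model
        return None

class TrustedServer:
    """Gathers attack data from agents; warns nodes when the same suspicious
    pattern is reported by at least min_agents agents (different segments)."""
    def __init__(self, min_agents: int = 2) -> None:
        self.min_agents = min_agents
        self.reports: List[Report] = []

    def gather(self, report: Optional[Report]) -> None:
        if report is not None:
            self.reports.append(report)

    def correlate(self) -> Dict[Tuple[str, ...], set]:
        """Pattern -> affected nodes, for patterns seen by several agents only."""
        seen: Dict[Tuple[str, ...], Dict[str, set]] = defaultdict(lambda: defaultdict(set))
        for r in self.reports:
            seen[r.pattern][r.agent].add(r.node)
        return {p: set().union(*by_agent.values())
                for p, by_agent in seen.items() if len(by_agent) >= self.min_agents}

    def warnings(self) -> List[str]:
        return sorted(f"WARN {node}: pattern {'+'.join(p)}"
                      for p, nodes in self.correlate().items() for node in nodes)

def run_demo() -> dict:
    """Constructed traffic: ten benign intervals per node, then one interval with the
    same bytes+conns spike on h1 (segment A) and h3 (segment B), a bytes-only spike
    on h4 (seen by one agent only, so not correlated) and normal traffic on h2."""
    agents = {"A": Agent("A"), "B": Agent("B")}
    segment = {"h1": "A", "h2": "A", "h3": "B", "h4": "B"}
    server = TrustedServer(min_agents=2)
    for i in range(10):
        for node, a in segment.items():
            server.gather(agents[a].observe(
                node, {"bytes": 1000 + (i % 3) * 10, "conns": 5 + (i % 2)}))
    server.gather(agents["A"].observe("h1", {"bytes": 50000, "conns": 200}))
    server.gather(agents["A"].observe("h2", {"bytes": 1010, "conns": 5}))
    server.gather(agents["B"].observe("h3", {"bytes": 50000, "conns": 200}))
    server.gather(agents["B"].observe("h4", {"bytes": 50000, "conns": 6}))
    return {"reports": len(server.reports), "warnings": server.warnings()}
```

Running `run_demo()` yields three agent reports (h1, h3 and h4 each exceed the threshold) but only two warnings, for h1 and h3: the bytes+conns pattern was reported by both agents in different segments, whereas the bytes-only spike on h4 was seen by one agent alone and is left as a local anomaly. The choice not to fold flagged intervals into the baseline is the practitioner's caveat on "dynamically update said activity models": an anomaly detector that learns from everything it sees can be walked toward accepting the attack as normal.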

Conclusion 

The examiner has pointed out particular references contained in the prior art of 
record in the body of this action for the convenience of the applicant. Although 
the specified citations are representative of the teachings in the art and are 
applied to the specific limitations within the individual claim, other passages and 
figures may apply as well. Applicant should consider the entire prior art as 
applicable as to the limitations of the claims. It is respectfully requested that the 
applicant, in preparing the response, consider fully the entire references as 
potentially teaching all or part of the claimed invention, as well as the context of 
the passages as taught by the prior art or disclosed by the examiner. 

Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to AUBREY H. WYSZYNSKI whose telephone 
number is (571) 272-8155. The examiner can normally be reached on Monday - 
Thursday, and alternate Fridays. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Kambiz Zand, can be reached on (571) 272-3811. The fax 
phone number for the organization where this application or proceeding is 
assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from 
the Patent Application Information Retrieval (PAIR) system. Status information 
for published applications may be obtained from either Private PAIR or Public 
PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see http://pair- 
direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll- 
free). If you would like assistance from a USPTO Customer Service 
Representative or access to the automated information system, call 800-786- 
9199 (IN USA OR CANADA) or 571-272-1000. 

/Aubrey H Wyszynski/ 
Examiner, Art Unit 2434 

/Kambiz Zand/ 

Supervisory Patent Examiner, Art Unit 2434 



